I have an NTL cable modem connected to a Netgear cable router, which is then connected to a WatchGuard Firebox X20e, which in turn is connected to our network. They are configured as follows:

Cable modem (non-static IP 83.xxx.xxx.xx), DHCP is also on

Cable router (WAN auto IP - LAN 192.168.2.1), DHCP is on

WatchGuard (WAN auto IP - LAN 192.168.1.14), DHCP is off

The internet works fine; however, if I try to VPN in from outside it won't connect. I know I would need a fixed IP, but NTL rarely changes the IP address. I think that I need to put some sort of route in on the cable router to route VPN traffic to the Firebox, but I don't know how to do it. Or does anyone know of another way to configure this?

12 Replies

A fixed IP, while convenient, is not absolutely necessary. I have many VPN sites that use DDNS rather than a fixed IP without any problems at all.

Before spending too much time troubleshooting this, why do you have your WatchGuard behind a "cable router"? Also, this should not be a cable router, as you already have a cable modem. I will assume that this is just a regular router hooked to your cable and is not duplicating the cable modem functionality as well.

Yep, what Scott said. In most cases your firewall should be able to hook directly into your cable modem, so you can get rid of the router. Otherwise you will need to put the router in a bridge mode or something similar so that the IP and traffic are passed directly to the firewall.

I have PIX devices at most of my locations, and I have one site with cable that the PIX could not log into for some reason, so I have a Linksys cable router in bridge mode between the modem and the PIX so it can work. It just adds another piece that in most cases is not necessary.

Kyle, what Netgear model are you using? Netgear routers must have VPN forwarding turned on or they will block it by default. Also, why use both devices? A nice Netgear ProSafe will do the job of both for a lot less money.

Christopher, I have a few places using a setup like this to create a DMZ/personal network on the outside and a secure network on the inside. But what a pain it is to keep running.

I did have the cable modem connected directly to the WatchGuard, but when I did this the modem said it wasn't activated even though it was, so I thought I needed to have a router in between them. When I did this I had no problems with internet access. The Netgear router is an RP614. Any ideas what I should do?

Either use a bridge mode or put the firewall in the DMZ on your router, and make sure it is set up to give that external IP to the firewall. I dunno much about Netgear equipment; maybe Scott can tell you how to actually go about it.

It is worth noting that some cable modems will not do routing and are designed specifically to be connected to one PC, hence the need for a cable router. Is the WatchGuard Firebox capable of doing the routing?

Kyle - Before really being able to help we have to know the VPN type. The range of possibilities with VPNs is rather large. I am guessing that this is IPSec to the Watchguard but verification would be handy.

Kyle, the RP614 is a consumer router, not a business unit like a Netgear ProSafe. From looking at its documentation, it does not support IPsec passthrough, nor does it have a bridge mode that I can find.

If you are using something other than IPsec, then you should be able to pass it by port forwarding. This is simple with an SSL VPN or PPTP, for example.
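The distinction the last two replies draw (IPsec needs "passthrough", while SSL VPN or PPTP can be port-forwarded) comes down to what a consumer router's port-forward table can match. IKE runs over UDP 500/4500 and an SSL VPN over TCP 443, so they have destination ports a forward rule can key on; ESP (IP protocol 50) and PPTP's GRE tunnel (IP protocol 47) carry no port numbers at all, so a plain port forward never sees them and the router must bridge, DMZ-host the firewall, or explicitly pass the protocol. The script below is an added example, not code from the thread or from any of the vendors named in it. It parses IPv4 headers from constructed sample packets (not a real capture), classifies each VPN component, and reports whether port forwarding alone would get a given VPN type through to a firewall on the router's LAN. The firewall address 192.168.2.50 and the remote peer 198.51.100.7 are assumed values.

```python
import socket
import struct

# IANA IP protocol numbers (not from the thread).
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50

# Destination ports the VPN components listen on (IANA assignments).
VPN_PORTS = {
    (IPPROTO_UDP, 500): "IKE",
    (IPPROTO_UDP, 4500): "IKE NAT-T",
    (IPPROTO_TCP, 1723): "PPTP control",
    (IPPROTO_TCP, 443): "SSL VPN",
}
# Protocols with no port field: a port-forward table cannot match them.
PORTLESS = {IPPROTO_ESP: "IPsec ESP", IPPROTO_GRE: "PPTP GRE"}


def build_ipv4(proto, src, dst, payload, options=b""):
    """Build a constructed IPv4 packet for offline testing (checksum left at 0)."""
    assert len(options) % 4 == 0, "IPv4 options are padded to 32-bit words"
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload


def parse_ipv4(pkt):
    """Return (proto, dst_ip, dst_port or None), honouring IHL so options are skipped."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated IPv4 header")
    proto = pkt[9]
    dst = socket.inet_ntoa(pkt[16:20])
    payload = pkt[ihl:]
    dport = None
    # Only TCP and UDP put a destination port in the first 4 bytes of the payload.
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        _, dport = struct.unpack("!HH", payload[:4])
    return proto, dst, dport


def classify(pkt):
    """Name the VPN component a packet belongs to and the router rule needed for it."""
    proto, _, dport = parse_ipv4(pkt)
    if proto in PORTLESS:
        return PORTLESS[proto], f"protocol {proto}"
    name = VPN_PORTS.get((proto, dport))
    if name:
        return name, f"{'tcp' if proto == IPPROTO_TCP else 'udp'}/{dport}"
    return "other", None


def forwarding_plan(packets):
    """Rules the router in front of the firewall must pass, and whether port forwarding suffices."""
    rules = {rule for _, rule in map(classify, packets) if rule}
    port_forward_suffices = all(r.startswith(("tcp/", "udp/")) for r in rules)
    return sorted(rules), port_forward_suffices


FW = "192.168.2.50"      # assumed LAN address of the firewall behind the router
PEER = "198.51.100.7"    # assumed remote VPN client (documentation range)

# Constructed sample traffic for each VPN type discussed in the thread, not a real capture.
IPSEC_TUNNEL = [
    build_ipv4(IPPROTO_UDP, PEER, FW, struct.pack("!HHHH", 500, 500, 8, 0)),
    build_ipv4(IPPROTO_UDP, PEER, FW, struct.pack("!HHHH", 4500, 4500, 8, 0)),
    build_ipv4(IPPROTO_ESP, PEER, FW, b"\x00" * 8),
]
PPTP_TUNNEL = [
    # TCP control channel, with four NOP IP options so the parser exercises IHL > 5.
    build_ipv4(IPPROTO_TCP, PEER, FW, struct.pack("!HH", 40000, 1723) + b"\x00" * 16, options=b"\x01" * 4),
    build_ipv4(IPPROTO_GRE, PEER, FW, b"\x00" * 8),
]
SSL_VPN = [build_ipv4(IPPROTO_TCP, PEER, FW, struct.pack("!HH", 40001, 443) + b"\x00" * 16)]

if __name__ == "__main__":
    for label, pkts in (("IPsec", IPSEC_TUNNEL), ("PPTP", PPTP_TUNNEL), ("SSL VPN", SSL_VPN)):
        rules, ok = forwarding_plan(pkts)
        verdict = "suffices" if ok else "is NOT enough (bridge, DMZ host or protocol passthrough needed)"
        print(f"{label}: router must pass {rules}; plain port forwarding {verdict}")
```

Running it shows IPsec needing protocol 50 on top of UDP 500/4500 and PPTP needing protocol 47 on top of TCP 1723, so neither is satisfied by a port-forward entry alone, whereas the SSL VPN is a single TCP 443 forward. The same check applied to a real capture from the router's WAN side would tell you which of the two problems you are actually fighting.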

Can you try establishing your VPN from the inside out rather than from the outside in?